What's the recommended way to serialize dependent objects, especially when objects are being freshly constructed (to avoid malicious byte streams, or whatever)? For example....

After creating a (genericized, but setup through Spring for my company) fiscal calendar based on JodaTime, I'm creating the next version based on JSR310 (using the back-port for development) in preparation for Java 8.

Currently, I'm working through serialization; how am I supposed to serialize dependent objects? Most of the existing stuff has a 'single' chronology, but I don't get to rely on that (for instance, the fiscal year can start on any day during the ISO year, which means a new FiscalChronology). Something like this:

public class FiscalDate implements Serializable {
private final long epochDays;
private final FiscalChronology chronology;
// Many of the other 'date' instances also have a reference to their 'era':
private final transient FiscalEra era;
}
public class FiscalChronology implements Serializable {
// These two control year/month patterns.
private final YearPattern yearPattern;
private final MonthPattern monthPattern;
// This should be derived during deserialization, for safety reasons.
private transient final FiscalEra[] eras;
private Object readResolve() {
return FiscalChronology.create(yearPattern, monthPattern);
}
}

Should I just remove serialization? Only serialize eraValue (and rely on the serialization graph including the Chronology on its own)?

EDIT:

Related to this, what am I supposed to do for the output of toString() - should it just be the name of the era (which I'm linking to the ISO eras), and expect people to include chronology information if it's important, or always include information about the chronology?